Does Your Email Account Give Me Access To Your Bank Account?

Wow, I knew it was a problem, but the scope is mind-boggling. At least one of you out there is probably making this mistake. According to the security firm Trusteer, 73% of people use their bank password at other sites as well (you can read the article on MSNBC). In addition to that statistic, Trusteer found that 42% of users use their banking ID and password on at least one other non-financial site.

Recently Rockyou.com coughed up 32 million email addresses and passwords. By logging into a person’s email account it is highly conceivable that one can find out their commonly used IDs. In fact, often just by googling an email address I can find the IDs that a person uses. Once an attacker has your email password and the IDs that go with it, every site where you reused that password is one login away.

In addition to the data breaches, a large number of people fall for phishing attacks in which they think they are only giving up the password to their Hotmail, Yahoo, or Gmail account; in reality, because of poor password practices, they have given up everything. Stop for a moment and think: if someone really does need the password to your email account, do you really want to give them the password to your bank account too?

There are some interesting perspectives in the story about password management.

“Last year, analyst firm Gartner released a survey that reported similar results. It said two-thirds of consumers use the same one or two passwords across all Web sites they access. But Avivah Litan, who directed the Gartner survey, said that choice might not be as unreasonable — or as unsafe — as it seems. "They are making a choice for convenience over security," she said. "They are using a cost-benefit equation … and they don't want to try to remember 10 different passwords for everything they do. They don't think the trade-off is worth it, honestly."

Well, I think that Litan is making an incorrect assumption. I don’t believe most users are making a cost-benefit choice; I think most are acting without thinking about the situation at all. Part of the reason may be that they don’t know enough to weigh the trade-offs, and they don’t know about the password management tools they could use.

Amit Klein, chief technology officer of Trusteer, makes a recommendation: “As a more practical goal, he recommends maintaining three ‘families’ of passwords — one for critical financial sites, a second for sites that store your personal information, and a third for generic log-ins.”

This is perhaps an acceptable compromise, but for financial and personal sites, such as banks, email accounts, and social networking accounts, I still recommend a password manager and unique passwords. Litan points out that if there is a keystroke logger on the machine then none of this matters. That is true as far as it goes, with two caveats: the keystroke logger may be detected before you have typed all of your different passwords into it, and not all keystroke loggers capture every type of username and password. Some loggers are only looking for online game credentials, others only for banks. With unique passwords, what a logger captures is limited to the accounts you actually logged into while it was present, rather than everything you own.

Using your banking ID or password at multiple sites is not a very good idea.
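The quickest way to find out whether you are one of Trusteer’s 73% is to audit your own vault. The following script is an added example, not code from the original post or from any of the password managers mentioned: it takes a list of (site, username, password) rows, as most password managers can export, and reports every password used on more than one site, every reuse that crosses Klein’s three families, and every financial site whose password is shared anywhere else. The vault rows and the family assignments are constructed for the example; a real audit would read the export file and take the family from tags in the vault.

```python
"""Audit a password-manager export for reuse across sites and across
"families" (financial, personal, generic).

Added example. The vault rows and family map below are constructed
sample data, not real credentials."""
import hashlib
from collections import defaultdict

# Constructed sample of a vault export: (site, username, password).
SAMPLE_VAULT = [
    ("bank.example", "jdoe", "Tr0ub4dor&3"),
    ("mail.example", "jdoe@mail.example", "Tr0ub4dor&3"),
    ("social.example", "jdoe", "correct horse battery staple"),
    ("forum.example", "jdoe", "correct horse battery staple"),
    ("shop.example", "jdoe", "9k$Qz-unique-to-shop"),
]

# Hypothetical family assignment (Klein's three families). A real audit
# would take this from tags or folders in the vault export.
FAMILY = {
    "bank.example": "financial",
    "mail.example": "personal",
    "social.example": "personal",
    "forum.example": "generic",
    "shop.example": "generic",
}


def fingerprint(password: str) -> str:
    """Compare passwords by digest so the report never carries cleartext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def find_reuse(vault):
    """Return {fingerprint: [sites]} for every password used on more than one site."""
    by_pw = defaultdict(list)
    for site, _user, pw in vault:
        by_pw[fingerprint(pw)].append(site)
    return {fp: sites for fp, sites in by_pw.items() if len(sites) > 1}


def cross_family_reuse(vault, family):
    """Groups of sites sharing a password where the sites span more than one family.

    Reuse inside one family is Klein's compromise; reuse that crosses into
    the financial or personal family is what the article warns about.
    Sites missing from the family map are treated as generic."""
    findings = []
    for sites in find_reuse(vault).values():
        fams = {family.get(s, "generic") for s in sites}
        if len(fams) > 1:
            findings.append((sorted(sites), sorted(fams)))
    return sorted(findings)


def financial_exposure(vault, family):
    """Financial-family sites whose password is also used somewhere else."""
    exposed = set()
    for sites in find_reuse(vault).values():
        exposed.update(s for s in sites if family.get(s) == "financial")
    return sorted(exposed)


if __name__ == "__main__":
    for sites, fams in cross_family_reuse(SAMPLE_VAULT, FAMILY):
        print("cross-family reuse:", sites, "families:", fams)
    print("financial sites exposed by reuse:", financial_exposure(SAMPLE_VAULT, FAMILY))
```

On the sample data the bank and the email account share a password, which is exactly the email-to-bank path described above; the social and forum accounts share one too, which Klein’s scheme would tolerate but a unique-password policy would not.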

With a good password manager, the most a keylogger will get is the vault key. And unless you use that as a password for something, or the keylogger has the ability to open and read passwords from your manager with the vault key, you shouldn't have too much of a problem. But it (the keylogger) will still catch the passwords that you are creating, and is still a method of attack.
I totally agree about using password managers and not using the same password (or even common words for passwords). I've had one that was a +ti/&SXc or something along those lines for a password before. (munged and no longer used anyhow)
Have a great day:)
Patrick.

Lee

Are there any password managers that are recommended over others? It's something I've always considered using, but a little paranoid voice in my head always asks "aah, but what if the password manager is compromised, then all your passwords are up for grabs".
I have recently read positive things about RoboForm's new cloud-based offering, so you have the added bonus of taking those convoluted, encrypted passwords with you to any machine. It's in beta at the moment, but it's one I might consider when it's fully released.

Randy Abrams

I haven’t gone out and evaluated the options. I use Cygnus Password Corral based upon the recommendation of a knowledgeable security expert I trust.

Mark Goldstein

Randy —

Take a look at lastpass.com. Cloud-based, encrypted storage. Multiple options for two-factor authentication including a very simple, free solution using a paper password. Linux, Mac, Windows. FREE. I have over 170 complex passwords encrypted with AES 256-bit keys.

Randy Abrams

Thanks Mark! I have my own concerns about keeping my passwords online, but if it is what it takes to get people to use different passwords for different sites then it is definitely a worthwhile security enhancement.

For our readers, I have known Mark for several years and his recommendation carries a lot of weight with me.

Nick

Using unique strong passwords is key for all password security. For sure, you need a password manager if you use 10+ mixed passwords with all types of characters. I use Handy Password because it offers a simple interface and is reliable enough. I use it as a USB password manager; very handy. http://www.handypassword.com/